More WIP

8 years ago · a0f4b09fa9
1 changed files with 117 additions and 80 deletions
--- a/protocol/protocol.tex
+++ b/protocol/protocol.tex
@ -35,6 +35,7 @@

 \newcommand{\term}[1]{\textsl{#1}\xspace}
 \newcommand{\termbf}[1]{\textbf{#1}\xspace}
+\newcommand{\conformance}[1]{\textmd{#1}\xspace}

 \newcommand{\Zcash}{\termbf{Zcash}}
 \newcommand{\Zerocash}{\termbf{Zerocash}}
@ -42,6 +43,12 @@
 \newcommand{\ZEC}{\termbf{ZEC}}
 \newcommand{\zatoshi}{\term{zatoshi}}

+\newcommand{\MUST}{\conformance{MUST}}
+\newcommand{\MUSTNOT}{\conformance{MUST NOT}}
+\newcommand{\SHOULD}{\conformance{SHOULD}}
+\newcommand{\SHOULDNOT}{\conformance{SHOULD NOT}}
+\newcommand{\MAY}{\conformance{MAY}}
+
 \newcommand{\coin}{\term{coin}}
 \newcommand{\coins}{\term{coins}}
 \newcommand{\coinCommitment}{\term{coin commitment}}
@ -67,15 +74,18 @@
 \newcommand{\script}{\term{script}}
 \newcommand{\serialNumber}{\term{serial number}}
 \newcommand{\serialNumbers}{\term{serial numbers}}
-\newcommand{\publicAddress}{\term{confidential address}}
-% Let's rename ``privateAddress'' to something else, since it sounds like an oxymoron to me. (This is related to a code naming issue #602 and we might want to update both at the same time.)
-\newcommand{\privateAddress}{\term{confidential private key}}
+% Daira: This doesn't adequately distinguish between zk stuff and transparent stuff
+\newcommand{\paymentAddress}{\term{payment address}}
+\newcommand{\viewingKey}{\term{viewing key}}
+\newcommand{\spendingKey}{\term{spending key}}
+\newcommand{\keyTuple}{\term{key tuple}}
 \newcommand{\coinPlaintext}{\term{coin plaintext}}
 \newcommand{\coinPlaintexts}{\term{coin plaintexts}}
 \newcommand{\coinsCiphertext}{\term{transmitted coins ciphertext}}
-\newcommand{\transmitPublicAlgorithm}{\term{key-private encryption}}
-\newcommand{\transmitPrivateAlgorithm}{\term{key-private decryption}}
-\newcommand{\spendAuthority}{\term{spend authority}}
+\newcommand{\authKeypair}{\term{authorization}}
+\newcommand{\transmitKeypair}{\term{transmission}}
+\newcommand{\discloseKeypair}{\term{disclosure}}
+\newcommand{\keyPrivateAlgorithm}{\term{key-private encryption scheme}}
 \newcommand{\incrementalMerkleTree}{\term{incremental merkle tree}}
 \newcommand{\spentSerialsMap}{\term{spent serial numbers map}}
 \newcommand{\zkSNARK}{\term{zk-SNARK}}
@ -83,24 +93,26 @@
 \newcommand{\memo}{\term{memo field}}

 % key pairs:
-\newcommand{\PublicAddress}{\mathsf{addr_{pk}}}
-\newcommand{\PrivateAddress}{\mathsf{addr_{sk}}}
-\newcommand{\PublicAddressLeadByte}{\mathbf{0x92}}
-\newcommand{\PrivateAddressLeadByte}{\mathbf{0x93}}
-\newcommand{\SpendAuthorityPublic}{\mathsf{a_{pk}}}
-\newcommand{\SpendAuthorityPrivate}{\mathsf{a_{sk}}}
-\newcommand{\SpendAuthorityPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}}
-\newcommand{\SpendAuthorityPrivateOld}[1]{\mathsf{a^{old}_{sk,\mathnormal{#1}}}}
-\newcommand{\SpendAuthorityPublicNew}[1]{\mathsf{a^{new}_{pk,\mathnormal{#1}}}}
-\newcommand{\SpendAuthorityPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}}
+\newcommand{\PaymentAddress}{\mathsf{addr_{pk}}}
+\newcommand{\ViewingKey}{\mathsf{addr_{viewkey}}}
+\newcommand{\SpendingKey}{\mathsf{addr_{sk}}}
+\newcommand{\PaymentAddressLeadByte}{\mathbf{0x92}}
+\newcommand{\ViewingKeyLeadByte}{\mathbf{0x??}}
+\newcommand{\SpendingKeyLeadByte}{\mathbf{0x93}}
+\newcommand{\AuthPublic}{\mathsf{a_{pk}}}
+\newcommand{\AuthPrivate}{\mathsf{a_{sk}}}
+\newcommand{\AuthPublicOld}[1]{\mathsf{a^{old}_{pk,\mathnormal{#1}}}}
+\newcommand{\AuthPrivateOld}[1]{\mathsf{a^{old}_{sk,\mathnormal{#1}}}}
+\newcommand{\AuthPublicNew}[1]{\mathsf{a^{new}_{pk,\mathnormal{#1}}}}
+\newcommand{\AuthPrivateNew}[1]{\mathsf{a^{new}_{sk,\mathnormal{#1}}}}
 \newcommand{\TransmitPublic}{\mathsf{pk_{enc}}}
 \newcommand{\TransmitPublicNew}[1]{\mathsf{pk_{enc,\mathnormal{#1}}}}
 \newcommand{\TransmitPrivate}{\mathsf{sk_{enc}}}
 \newcommand{\TransmitPrivateNew}[1]{\mathsf{sk_{enc,\mathnormal{#1}}}}
-\newcommand{\ViewPublic}{\mathsf{pk_{view}}}
-\newcommand{\ViewPublicNew}[1]{\mathsf{pk_{view,\mathnormal{#1}}}}
-\newcommand{\ViewPrivate}{\mathsf{sk_{view}}}
-\newcommand{\ViewPrivateNew}[1]{\mathsf{sk_{view,\mathnormal{#1}}}}
+\newcommand{\DisclosePublic}{\mathsf{pk_{disclose}}}
+\newcommand{\DisclosePublicNew}[1]{\mathsf{pk_{disclose,\mathnormal{#1}}}}
+\newcommand{\DisclosePrivate}{\mathsf{sk_{disclose}}}
+\newcommand{\DisclosePrivateNew}[1]{\mathsf{sk_{disclose,\mathnormal{#1}}}}
 \newcommand{\EphemeralPublic}{\mathsf{pk_{eph}}}
 \newcommand{\EphemeralPrivate}{\mathsf{sk_{eph}}}
 \newcommand{\Value}{\mathsf{v}}
@ -258,7 +270,7 @@ ensuring that the functions are independent.
 \newsavebox{\addrbox}
 \begin{lrbox}{\addrbox}
 \begin{bytefield}[bitwidth=0.065em]{512}
-        \bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
+        \bitbox{242}{256 bit $\AuthPrivate$} &
        \bitbox{14}{0} &
        \bitbox{14}{0} &
        \bitbox{242}{$0^{254}$} &
@ -268,7 +280,7 @@ ensuring that the functions are independent.
 \newsavebox{\snbox}
 \begin{lrbox}{\snbox}
 \begin{bytefield}[bitwidth=0.065em]{512}
-        \bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
+        \bitbox{242}{256 bit $\AuthPrivate$} &
        \bitbox{14}{0} &
        \bitbox{14}{1} &
        \bitbox{242}{$\Leading{254}(\CoinAddressRand)$} &
@ -278,7 +290,7 @@ ensuring that the functions are independent.
 \newsavebox{\pkbox}
 \begin{lrbox}{\pkbox}
 \begin{bytefield}[bitwidth=0.065em]{512}
-        \bitbox{242}{256 bit $\SpendAuthorityPrivate$} &
+        \bitbox{242}{256 bit $\AuthPrivate$} &
        \bitbox{14}{1} &
        \bitbox{14}{0} &
        \bitbox{14}{$i$} &
@ -303,9 +315,9 @@ is associated with this bit-packing.}

 \begin{equation*}
 \begin{aligned}
-\SpendAuthorityPublic &:= \PRFaddr{\SpendAuthorityPrivate}(0) &= \CRHbox{\addrbox} \\
-\sn &:= \PRFsn{\SpendAuthorityPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\
-\h{i} &:= \PRFpk{\SpendAuthorityPrivate}(i, \hSig) &= \CRHbox{\pkbox} \\
+\AuthPublic &:= \PRFaddr{\AuthPrivate}(0) &= \CRHbox{\addrbox} \\
+\sn &:= \PRFsn{\AuthPrivate}(\CoinAddressRand) &= \CRHbox{\snbox} \\
+\h{i} &:= \PRFpk{\AuthPrivate}(i, \hSig) &= \CRHbox{\pkbox} \\
 \setchanged \CoinAddressRandNew{i} &\setchanged := \PRFrho{\CoinAddressPreRand}(i, \hSig)
 &\setchanged = \CRHbox{\rhobox}
 \end{aligned}
@ -314,43 +326,68 @@ is associated with this bit-packing.}
 \daira{Should we instead define $\CoinAddressRand$ to be 254 bits and $\hSig$ to be
 253 bits?}

-\subsection{Confidential Addresses and Private Keys}
+\subsection{Payment Addresses, Viewing Keys, and Spending Keys}
+
+A \keyTuple $(\PaymentAddress, \ViewingKey, \SpendingKey)$ is generated
+by users who wish to receive payments under this scheme. The parts of
+the \keyTuple are composed from three distinct keypairs, called the
+\authKeypair, \transmitKeypair, and \discloseKeypair keypairs.

-\nathan{This term, \publicAddress, may be confusing by comparison to
-a ``private key''. In the latter case the adjective is reminding a
-user of their responsibility to protect its privacy, but in the case
-of \publicAddress we want users to know ``transfers to this address
-are confidential, but the address itself *may* be published or kept
-confidential depending on your needs. Two different people can compare
-addresses to know they have the same \publicAddress.''}
+\begin{itemize}
+  \item The \paymentAddress $\PaymentAddress$ is a pair
+        $(\AuthPublic, \TransmitPublic)$, containing the \em{public}
+        components of the \authKeypair and \transmitKeypair keypairs
+        respectively.
+  \item The \viewingKey $\ViewingKey$ is a pair
+        $(\TransmitPrivate, \DisclosePrivate)$, containing the \em{private}
+        components of the \transmitKeypair and \discloseKeypair keypairs
+        respectively.
+  \item The \spendingKey $\SpendingKey$ is a triple
+        $(\AuthPrivate, \TransmitPrivate, \DisclosePrivate)$,
+        containing the \em{private} components of the \authKeypair,
+        \transmitKeypair, and \discloseKeypair keypairs respectively.
+\end{itemize}

-A key pair $(\PublicAddress, \PrivateAddress)$ is generated by
-users who wish to receive coins under this scheme. The tuple parts
-embody two distinct keypairs used for different purposes called
-the \spendAuthority and the \transmitPublicAlgorithm keypair. The
-\publicAddress $\PublicAddress$ is a tuple $(\SpendAuthorityPublic,
-\TransmitPublic)$, containing the public components of the \spendAuthority
-and \transmitPublicAlgorithm respectively. The $\PrivateAddress$ is
-a tuple $(\SpendAuthorityPrivate, \TransmitPrivate)$, containing the
-secret components respectively.
+The following diagram depicts the relations between key components.
+Arrows point from a private component to the corresponding public
+component derived from it.

-\nathan{A diagram could really help here.}
+\begin{center}
+\includegraphics[scale=1]{key_components}
+\end{center}
+
+Note that a \spendingKey holder can derive
+$(\SpendPublic, \TransmitPublic, \ViewPublic)$, and a \viewingKey holder
+can derive $(\TransmitPublic, \ViewPublic)$, even though these components
+are not formally part of the respective keys. Implementations \MAY cache
+these derived public components, provided that they are deleted if the
+corresponding private component is deleted.
+
+The composition of \paymentAddresses, \viewingKeys, and \spendingKeys
+is a cryptographic protocol detail that should not normally be
+exposed to users. However, user-visible operations should be provided
+to:
+
+\begin{itemize}
+  \item obtain a \viewingKey from a \spendingKey; and
+  \item obtain a \publicAddress from a \spendingKey.
+\end{itemize}

 Users can accept payment from multiple parties with a single
-$\PublicAddress$ and the fact that these payments are destined to
+$\PaymentAddress$ and the fact that these payments are destined to
 the same payee is not revealed on the blockchain, even to the
 paying parties. \emph{However} if two parties collude to compare a
-$\PublicAddress$ they can trivially determine they are the same. In the
+$\PaymentAddress$ they can trivially determine they are the same. In the
 case that a payee wishes to prevent this they should create a distinct
-\publicAddress for each payer.
+\paymentAddress for each payer.

 \subsection{Coins}

-A \coin (denoted $\Coin$) is a tuple $\changed{(\SpendAuthorityPublic, \Value,
+A \coin (denoted $\Coin$) is a tuple $\changed{(\AuthPublic, \Value,
 \CoinAddressRand, \CoinCommitRand)}$ which represents that a value $\Value$ is
-spendable by the recipient who holds the $\spendAuthority$ key pair
-$(\SpendAuthorityPublic, \SpendAuthorityPrivate)$ such that
-$\SpendAuthorityPublic = \PRFaddr{\SpendAuthorityPrivate}(0)$.
+spendable by the recipient who holds the $\authorization$ key pair
+$(\AuthPublic, \AuthPrivate)$ such that
+$\AuthPublic = \PRFaddr{\AuthPrivate}(0)$.

 $\CoinCommitRand$ is randomly generated by the sender. \changed{$\CoinAddressRand$
 is generated from a random seed $\CoinAddressPreRand$ using
@ -363,9 +400,9 @@ the value and recipient \emph{except} to those who possess these tokens.
 In order to transmit the secret $\Value$, $\CoinAddressRand$, and $\CoinCommitRand$
 (necessary for the recipient to later spend) \changed{and also a \memo} to the
 recipient \emph{without} requiring an out-of-band communication channel, the
-$\transmitPublicAlgorithm$ public key $\TransmitPublic$ is used to encrypt these
+$\transmitAuthority$ public key $\TransmitPublic$ is used to encrypt these
 secrets to form a \coinsCiphertext. The recipient's possession of the associated
-$(\PublicAddress, \PrivateAddress)$ (which contains both $\SpendAuthorityPublic$ and
+$(\PaymentAddress, \SpendingKey)$ (which contains both $\AuthPublic$ and
 $\TransmitPrivate$) is used to reconstruct the original \coin \changed{ and \memo}.

 \changed{
@ -449,14 +486,14 @@ break of the IK-CCA (key privacy) property.

 \subsubsection{Coin Commitments}

-The underlying $\Value$ and $\SpendAuthorityPublic$ are blinded with $\CoinAddressRand$
+The underlying $\Value$ and $\AuthPublic$ are blinded with $\CoinAddressRand$
 and $\CoinCommitRand$ using the collision-resistant hash function $\CRH$ in a
 multi-layered process. The resulting hash $\cm = \CoinCommitment{\Coin}$.

 \newsavebox{\ihbox}
 \begin{lrbox}{\ihbox}
 \begin{bytefield}[bitwidth=0.08em]{512}
-	\bitbox{256}{256 bit $\SpendAuthorityPublic$} &
+	\bitbox{256}{256 bit $\AuthPublic$} &
 	\bitbox{256}{256 bit $\CoinAddressRand$}
 \end{bytefield}
 \end{lrbox}
@ -489,8 +526,8 @@ multi-layered process. The resulting hash $\cm = \CoinCommitment{\Coin}$.
 \subsubsection{Serial numbers}

 A \serialNumber (denoted $\sn$) equals 
-$\PRFsn{\SpendAuthorityPrivate}(\CoinAddressRand)$. A \coin is spent by proving
-knowledge of $\CoinAddressRand$ and $\SpendAuthorityPrivate$ in zero knowledge while
+$\PRFsn{\AuthPrivate}(\CoinAddressRand)$. A \coin is spent by proving
+knowledge of $\CoinAddressRand$ and $\AuthPrivate$ in zero knowledge while
 disclosing $\sn$, allowing $\sn$ to be used to prevent double-spending.

 \subsection{Coin Commitment Tree}
@ -621,7 +658,7 @@ $\cmNew{\mathrm{1}..\NNew}$.
 (\changed{$\ephemeralKey$ and} $\ciphertexts$ together form the \coinsCiphertext.)

 \item $\vmacs$ which is a $\NOld$ size sequence of message authentication tags
-$\h{\mathrm{1}..\NOld}$ that bind $\hSig$ to each $\SpendAuthorityPrivate$ of the
+$\h{\mathrm{1}..\NOld}$ that bind $\hSig$ to each $\AuthPrivate$ of the
 $\PourDescription$.

 \item $\zkproof$ which is the zero-knowledge proof $\PourProof$.
@ -695,15 +732,15 @@ In \Zcash, $\NOld$ and $\NNew$ are both $2$.
 A valid instance of $\PourProof$ assures that given a \term{primary input}
 $(\rt, \snOld{\mathrm{1}..\NOld}, \cmNew{\mathrm{1}..\NNew}, \changed{\vpubOld,\;}
 \vpubNew, \hSig, \h{1..\NOld})$, a witness of \term{auxiliary input}
-$(\treepath{1..\NOld}, \cOld{1..\NOld}, \SpendAuthorityPrivateOld{\mathrm{1}..\NOld},
+$(\treepath{1..\NOld}, \cOld{1..\NOld}, \AuthPrivateOld{\mathrm{1}..\NOld},
 \cNew{1..\NNew}\changed{, \CoinAddressPreRand})$ exists, where:

 \begin{list}{}{}

-\item for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\SpendAuthorityPublicOld{i},
+\item for each $i \in \{1..\NOld\}$: $\cOld{i}$ = $(\AuthPublicOld{i},
 \vOld{i}, \CoinAddressRandOld{i}, \CoinCommitRandOld{i})$

-\item for each $i \in \{1..\NNew\}$: $\cNew{i}$ = $(\SpendAuthorityPublicNew{i},
+\item for each $i \in \{1..\NNew\}$: $\cNew{i}$ = $(\AuthPublicNew{i},
 \vNew{i}, \CoinAddressRandNew{i}, \CoinCommitRandNew{i})$

 \item The following conditions hold:
@ -723,16 +760,16 @@ $\changed{\vpubOld +} \vsum{i=1}{\NOld} \vOld{i} = \vpubNew + \vsum{i=1}{\NNew}
 \subparagraph{Serial integrity}

 for each $i \in \{1..\NNew\}$: 
-$\snOld{i} = \PRFsn{\SpendAuthorityPrivateOld{i}}(\CoinAddressRandOld{i})$.
+$\snOld{i} = \PRFsn{\AuthPrivateOld{i}}(\CoinAddressRandOld{i})$.

 \subparagraph{Spend authority}

 for each $i \in \{1..\NOld\}$:
-$\SpendAuthorityPublicOld{i} = \PRFaddr{\SpendAuthorityPrivateOld{i}}(0)$.
+$\AuthPublicOld{i} = \PRFaddr{\AuthPrivateOld{i}}(0)$.

 \subparagraph{Non-malleability}

-for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\SpendAuthorityPrivateOld{i}}(i, \hSig)$
+for each $i \in \{1..\NOld\}$: $\h{i}$ = $\PRFpk{\AuthPrivateOld{i}}(i, \hSig)$

 \changed{
 \subparagraph{Uniqueness of $\CoinAddressRandNew{i}$}
@ -769,8 +806,8 @@ These are encoded in the same way as in \Bitcoin \cite{Base58Check}.

 \subsection{Confidential Public Addresses}

-A \publicAddress consists of $\SpendAuthorityPublic$ and $\TransmitPublic$.
-$\SpendAuthorityPublic$ is a SHA-256 compression function output.
+A \paymentAddress consists of $\AuthPublic$ and $\TransmitPublic$.
+$\AuthPublic$ is a SHA-256 compression function output.
 $\TransmitPublic$ is a \changed{Curve25519} public key, for use with the
 encryption scheme defined in section ``In-band secret distribution".

@ -780,18 +817,18 @@ The raw encoding of a confidential address consists of:

 \begin{equation*}
 \begin{bytefield}[bitwidth=0.07em]{520}
-    \bitbox{48}{\changed{$\PublicAddressLeadByte$}} &
-    \bitbox{256}{$\SpendAuthorityPublic$ (32 bytes)} &
+    \bitbox{48}{\changed{$\PaymentAddressLeadByte$}} &
+    \bitbox{256}{$\AuthPublic$ (32 bytes)} &
    \bitbox{256}{A \changed{32-byte} encoding of $\TransmitPublic$}
 \end{bytefield}
 \end{equation*}

 \begin{itemize}
 \changed{
-    \item A byte, $\PublicAddressLeadByte$, indicating this version of the
+    \item A byte, $\PaymentAddressLeadByte$, indicating this version of the
        raw encoding of a \Zcash public address.
 }
-    \item 32 bytes specifying $\SpendAuthorityPublic$.
+    \item 32 bytes specifying $\AuthPublic$.
    \item \changed{32 bytes} specifying $\TransmitPublic$, \changed{using the
        normal encoding of a Curve25519 public key \cite{Curve25519}}.
 \end{itemize}
@ -803,8 +840,8 @@ and produces `z' as the Base58Check leading character.}

 \subsection{Confidential Address Secrets}

-A confidential address secret consists of $\SpendAuthorityPrivate$ and
-$\TransmitPrivate$. $\SpendAuthorityPrivate$ is a SHA-256 compression function
+A confidential address secret consists of $\AuthPrivate$ and
+$\TransmitPrivate$. $\AuthPrivate$ is a SHA-256 compression function
 output. $\TransmitPrivate$ is a \changed{Curve25519} private key, for use with
 the encryption scheme defined in section ``In-band secret distribution".

@ -814,18 +851,18 @@ The raw encoding of a confidential address secret consists of, in order:

 \begin{equation*}
 \begin{bytefield}[bitwidth=0.07em]{520}
-    \bitbox{48}{\changed{$\PrivateAddressLeadByte$}} &
-    \bitbox{256}{$\SpendAuthorityPrivate$ (32 bytes)} &
+    \bitbox{48}{\changed{$\SpendingKeyLeadByte$}} &
+    \bitbox{256}{$\AuthPrivate$ (32 bytes)} &
    \bitbox{256}{$\TransmitPrivate$ (32 bytes)}
 \end{bytefield}
 \end{equation*}

 \begin{itemize}
 \changed{
-    \item A byte $\PrivateAddressLeadByte$ indicating this version of the
+    \item A byte $\SpendingKeyLeadByte$ indicating this version of the
        raw encoding of a \Zcash private key.
 }
-    \item 32 bytes specifying $\SpendAuthorityPrivate$.
+    \item 32 bytes specifying $\AuthPrivate$.
    \item 32 bytes specifying $\TransmitPrivate$.
 \end{itemize}

@ -840,7 +877,7 @@ Transmitted coins are stored on the blockchain in encrypted form, together with
 a \coinCommitment $\cm$.

 The \coinPlaintexts associated with a \PourDescription are encrypted to the
-respective \transmitPublicAlgorithm keys $\TransmitPublicNew{\mathrm{1}..\NNew}$,
+respective \transmitAuthority keys $\TransmitPublicNew{\mathrm{1}..\NNew}$,
 and the result forms a \coinsCiphertext.

 Each \coinPlaintext consists of $(\Value, \CoinAddressRand, \CoinCommitRand\changed{, \Memo})$,
@ -849,7 +886,7 @@ where:
 \begin{itemize}
    \item $\Value$ is a 64-bit unsigned integer representing the value of the
        \coin in \zatoshi (1 \ZEC = $10^8$ \zatoshi).
-    \item $\CoinAddressRand$ is a 32-byte $\PRFsn{\SpendAuthorityPrivate}$ preimage.
+    \item $\CoinAddressRand$ is a 32-byte $\PRFsn{\AuthPrivate}$ preimage.
    \item $\CoinCommitRand$ is a 48-byte \COMMtrapdoor.
 \changed{
    \item $\Memo$ is a 64-byte \memo associated with this \coin.
@ -915,9 +952,9 @@ TBD.
    \item Instead of ECIES, we use an encryption scheme based on $\CryptoBox$,
 defined in section ``In-band secret distribution".
    \item Faerie Gold fix (TBD).
-    \item The paper defines a coin as a tuple $(\SpendAuthorityPublic, \Value,
+    \item The paper defines a coin as a tuple $(\AuthPublic, \Value,
 \CoinAddressRand, \CoinCommitRand, \CoinCommitS, \cm)$, whereas this specification
-defines it as $(\SpendAuthorityPublic, \Value, \CoinAddressRand, \CoinCommitRand)$.
+defines it as $(\AuthPublic, \Value, \CoinAddressRand, \CoinCommitRand)$.
 This is just a clarification, because the instantiation of $\COMM{\CoinCommitS}$
 in section 5.1 of the paper does not use $\CoinCommitS$, and $\cm$ can be computed
 from the other fields.